Guest Rob Gordon
Posted January 17, 2008

The current Active Directory domain topology of my native Windows 2003 R2 Server (with all patches applied) looks like the following:

DC1: Native Win2K3 R2 (Global Catalog and AD-integrated DNS server)
DC2: Native Win2K3 R2 (Global Catalog and AD-integrated DNS server)
DC3: Native Win2K3 R2 (non-Global Catalog, legacy Certificate Server)

The FSMO roles have all been split between DC1 and DC2.

I have recently added a site (call it Second-Site) to our domain, and am in the process of adding a DC to that site, to act as a local GC since it will be across a WAN connection from the default First-Site. Call it DC4. When I do a dcpromo on this server, it goes through the process of setting up Active Directory, but after I reboot and go to look in AD Sites and Services, I notice the following:

1. If I look at the NTDS Settings for DC4 in Second-Site, I see that a replication connection has been automatically created FROM DC1, but not from DC2 or DC3. Additionally, a connection replicating TO DC3 is automatically generated, but not to either DC1 or DC2. It's my understanding that when I added the new DC to Second-Site it should have automatically generated the replication connections between all three original DCs, for redundancy. Is this not the way it works?

2. The certificate server on DC3 issued certs to DC1 and DC2 as Domain Controllers, but I don't see a cert having been generated and issued to DC4 from that cert server. This certificate server was a leftover from the original topology of the network, and I am hesitant to remove it as a DC or a Cert Server until I understand what its function truly is. What should I check for in the Default Domain Controller GPO to determine if the cert server is being invoked?

Any feedback you can offer is greatly appreciated.
Guest Marcin
Posted January 17, 2008
Re: Adding DC in second AD 2003 site not creating automatic replication to all DCs?

Rob,

Regarding your first question - automatically generated intersite replication topology uses spanning tree algorithm (no redundant connections). Intrasite replication topology ensures that there are no more than three hops between any two domain controllers within the same site - so you would see there redundant connections.

As far as the second question is concerned - can you clarify what certificates you are referring to? CA is an optional component in Active Directory - not required for it to be operational - but you might have some custom legacy dependencies...

hth
Marcin
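To see what the KCC actually built in a case like Rob's (a single intersite connection into DC4, a ring inside each site), the script below reads the connection objects straight from the configuration partition and lists, per DC, which DCs it pulls from and whether each link is intrasite or intersite. It is an added example, not code from this thread; it assumes a domain-joined machine with PowerShell 2.0 or later, and the server and site names are parsed from the object DNs.

```powershell
# Added example (not from the thread): enumerate nTDSConnection objects per DC.
# Assumes a domain-joined machine with PowerShell 2.0+ and read access to the
# configuration partition (any authenticated user has that by default).
$rootDse  = [ADSI]"LDAP://RootDSE"
$sitesDn  = "CN=Sites,$($rootDse.configurationNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sitesDn")
$searcher.PageSize = 1000
# "CN=NTDS Settings,CN=DC1,CN=Servers,CN=First-Site,CN=Sites,..." -> DC1 / First-Site.
# $offset is the RDN index of the server name (1 for an nTDSDSA DN, 2 for a connection DN).
function ConvertTo-ServerSite([string]$dn, [int]$offset) {
    $rdns = ($dn -split ',(?=CN=)') | ForEach-Object { $_ -replace '^CN=', '' }
    New-Object PSObject -Property @{ Server = $rdns[$offset]; Site = $rdns[$offset + 2] }
}
# Collect every DC (nTDSDSA object) first, so a DC with no inbound connection is still reported.
$searcher.Filter = '(objectClass=nTDSDSA)'
$dcs = @{}
foreach ($r in $searcher.FindAll()) {
    $dc = ConvertTo-ServerSite $r.Properties['distinguishedname'][0] 1
    $dcs[$dc.Server] = New-Object PSObject -Property @{ Site = $dc.Site; Inbound = @() }
}
# Every connection object. A connection lives under the *destination* DC's NTDS Settings
# and points at the source via fromServer; bit 0x1 of 'options' marks a KCC-generated one.
$searcher.Filter = '(objectClass=nTDSConnection)'
foreach ($r in $searcher.FindAll()) {
    $dest = ConvertTo-ServerSite $r.Properties['distinguishedname'][0] 2
    $src  = ConvertTo-ServerSite $r.Properties['fromserver'][0] 1
    $opts = 0
    if ($r.Properties.Contains('options')) { $opts = [int]$r.Properties['options'][0] }
    if (-not $dcs.ContainsKey($dest.Server)) { continue }
    $dcs[$dest.Server].Inbound += New-Object PSObject -Property @{
        From      = $src.Server
        FromSite  = $src.Site
        Scope     = $(if ($src.Site -eq $dest.Site) { 'intrasite' } else { 'intersite' })
        Generated = (($opts -band 1) -ne 0)
    }
}
# Inside a site the KCC builds a ring (2+ intrasite inbound per DC once a site has 3+ DCs);
# between sites it builds a spanning tree, so a single intersite inbound on the bridgehead
# is normal. A DC with zero inbound connections is the condition worth chasing.
foreach ($name in ($dcs.Keys | Sort-Object)) {
    $d = $dcs[$name]
    "{0} ({1}): {2} inbound connection(s)" -f $name, $d.Site, $d.Inbound.Count
    foreach ($c in $d.Inbound) {
        "    <- {0} [{1}] {2}, {3}" -f $c.From, $c.FromSite, $c.Scope, $(if ($c.Generated) { 'KCC' } else { 'manual' })
    }
    if ($d.Inbound.Count -eq 0) { "    WARNING: no inbound connection; run 'repadmin /kcc' and check the Directory Service event log" }
}
```

Compare the output with repadmin /showrepl on the same DCs: the connection objects are the KCC's intent, repadmin shows whether each link is actually succeeding.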
Guest Rob Gordon
Posted January 17, 2008
Re: Adding DC in second AD 2003 site not creating automatic replication to all DCs?

Ah well then, if that's the case, the intersite replication appears to have taken effect as expected. What you describe is only for intersite replication, correct? Intrasite replication generates multiple automatic replication connectors between DCs, yes?

As for the CA issuing server, I can see under Issued Certs that it automatically issues a certificate to all the DCs in First-Site, so I'm assuming there's something in the Default Domain Controller policy that triggered this. I am looking through it now with the GPMC...

Marcin wrote:
> Rob,
> Regarding your first question - automatically generated intersite
> replication topology uses spanning tree algorithm (no redundant
> connections). Intrasite replication topology ensures that there are no more
> than three hops between any two domain controllers within the same site - so
> you would see there redundant connections.
> As far as the second question is concerned - can you clarify what
> certificates you are referring to? CA is an optional component in Active
> Directory - not required for it to be operational - but you might have some
> custom legacy dependencies...
>
> hth
> Marcin
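For the certificate side of Rob's question, the quickest check is on DC4 itself: the script below lists the local machine's Personal store and flags any certificate issued from the DomainController V1 template, which is the template that Automatic Certificate Request Settings in the Default Domain Controllers Policy requests from an enterprise CA. Added example, not code from this thread; it assumes PowerShell 2.0 or later on the DC being inspected.

```powershell
# Added example (not from the thread): find DomainController-template certificates
# in LocalMachine\My. Assumes PowerShell 2.0+ running on the DC being checked.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # szOID_ENROLL_CERTTYPE_EXTENSION: V1 template name
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE: V2 template OID/version
function Get-TemplateInfo($cert) {
    # Returns the decoded template extension text, or a note that there is none.
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $v1TemplateOid -or $ext.Oid.Value -eq $v2TemplateOid) {
            return $ext.Format($false).Trim()
        }
    }
    return '(no certificate template extension: not an enterprise-CA enrollment)'
}
$found = $false
foreach ($cert in $store.Certificates) {
    $template = Get-TemplateInfo $cert
    $isDcCert = ($template -like '*DomainController*')
    if ($isDcCert) { $found = $true }
    "Subject   : {0}" -f $cert.Subject
    "Issuer    : {0}" -f $cert.Issuer        # compare with the CA name on DC3
    "Expires   : {0}" -f $cert.NotAfter
    "Template  : {0}{1}" -f $template, $(if ($isDcCert) { '   <== auto-requested DC cert' } else { '' })
    "Thumbprint: {0}" -f $cert.Thumbprint
    ''
}
$store.Close()
if (-not $found) {
    "No DomainController-template certificate in LocalMachine\My. Check Computer Configuration >" +
    " Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request" +
    " Settings in the Default Domain Controllers Policy, and that the CA publishes that template."
}
```

Run the same script on DC1 or DC2 first: the Issuer line there tells you whether DC3's CA is the one handing out the Domain Controller certificates, and the Expires line tells you how long the DCs would keep working if that CA were retired.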
Guest Saral6978
Posted January 17, 2008
Re: Adding DC in second AD 2003 site not creating automatic replic

I have sort of the same issue here. I just added a new Win2003R2 DC to an existing domain: 2 local DCs (both Win2003) plus this new one at my location, and 1 DC each at my 2 other locations. I have 3 sites in Active Sites & Services and my new server is only generating automatically in the "local" site. It won't show up in my other 2 remote sites' NTDS Settings automatically like I figured it would.

The goal is to demote my older 2 DCs and have this new one be the "primary" at my location, holding all roles, etc, but if I can't get this server to show up in the other 2 locations' sites, I think I'm going to have some problems with replication. Any suggestions?
Guest Saral6978
Posted January 17, 2008
RE: Adding DC in second AD 2003 site not creating automatic replicatio

Well, I've decided instead of spinning my wheels, I'm calling Microsoft on this. This has always been an issue for me, but replication has worked because at least 1 of my DCs at one of my remote locations. I've had DCs A, B, C, and D (original config):

Local site - DCs A and B
A and B show up in Site 1's NTDS settings automatically

Remote site 1 - DC C
C, B, D show up in Site 2's NTDS settings automatically

Remote site 2 - DC D
D, C show up in Site 3's NTDS Settings automatically

Now I have this new server, E, which shows up in Site 1, but nothing else. When I eventually take away servers A, B, I'm going to have issues, I'm sure, since E won't show up in my other 2 remote sites.

I can't seem to find very much info on getting Intra-Site replication working with sites that have different IPs. I'd like ALL my DCs to show up in each Site's NTDS settings, but I guess I don't know if that works or not. This new server will again, also house all the FSMO roles and the other 2 in my local site are being demoted and used for other things.
Guest Rob Gordon
Posted January 17, 2008
Re: Adding DC in second AD 2003 site not creating automatic replicatio

Please let me know what you hear from MS, as I haven't found much info on intersite versus intra-site replication.

Saral6978 wrote:
> Well, I've decided instead of spinning my wheels, I'm calling Microsoft on
> this. This has always been an issue for me, but replication has worked
> because at least 1 of my DCs at one of my remote locations. I've had DCs A,
> B, C, and D (original config):
>
> Local site - DCs A and B
> A and B show up in Site 1's NTDS settings automatically
>
> Remote site 1 - DC C
> C, B, D show up in Site 2's NTDS settings automatically
>
> Remote site 2 - DC D
> D, C show up in Site 3's NTDS Settings automatically
>
> Now I have this new server, E, which shows up in Site 1, but nothing else.
> When I eventually take away servers A, B, I'm going to have issues, I'm sure,
> since E won't show up in my other 2 remote sites.
>
> I can't seem to find very much info on getting Intra-Site replication
> working with sites that have different IPs. I'd like ALL my DCs to show up
> in each Site's NTDS settings, but I guess I don't know if that works or not.
> This new server will again, also house all the FSMO roles and the other 2 in
> my local site are being demoted and used for other things.